I have a working (99%) captive portal. The user gets a captive portal registration page, fills in a few details, and then it is set for admin approval. The problem is, the user never gets sent the random password?
I have left the admin email address out on this screenshot, but, my understanding is, the admin gets an email to say "approve" and then the details get emailed to the guest?
When I hover over the "Account Delivery options available to the user" it says "Account information can not be displayed when admin approval is required".
Does this mean, as soon as the admin approves, they have access? How would they know what the random password is? Very confusing!
Thanks
The reason I say that about the latter is that all a threat actor needs to do is stand up an AP with a honeypot that mimics your captive portal's login screen, and then goes to a page that says, "Oops, something went wrong. Click here to try again" and they can harvest AD credentials.
That doesn't answer either of my questions? How should this be set up?
After the approval, the guest should receive its credentials via email or SMS, as also shown here: 'The Display on browser page option is only available if administrator approval is not required'.
Is the SMTP server currently configured in FAC? There are some SMTP servers that restrict the relay functions for external domains.
Yes, it's set to "email" and he did get an email about 10 minutes later! I wonder if SMS is quicker?
I can see he registers, gets put into the "GUEST" group on the FAC, and the FortiGate uses that group "remote server group" to authenticate, but the FAC logs show the error "Authentication failed: NAS cannot find user realm". The realm is set to local, where the guest group is!
I think that the delay is added by the mail server or any email security in between. You can check from the FAC logs, network or on the server side, the email should leave FAC quickly.
I think that you shouldn't configure 'Restricted to Groups' in FGT in this case.
OK, that is something I need to look at, the delay is not acceptable. What about:
I can see he registers, gets put into the "GUEST" group on the FAC, and the FortiGate uses that group "remote server group" to authenticate, but the FAC logs show the error "Authentication failed: NAS cannot find user realm". The realm is set to local, where the guest group is. Any idea?
Thanks
Copyright 2024 Fortinet, Inc. All Rights Reserved.